Method and system of decentralized malware identification
Abstract
Non-limiting embodiments of the present technology are directed to a system and a method for ensuring cybersecurity, namely, to a method for distributed malware inspection and a system implementing the method. The method comprises receiving input data identifying a potential malware; checking the potential malware based on the input data; adding check parameters and at least one result of the potential malware check into the transaction pool; receiving results of the distributed check of the potential malware from the plurality of networked computer devices; determining a harmfulness parameter based on results of the distributed malware check of the potential malware; in response to the harmfulness parameter of the potential malware exceeds a predetermined threshold value, identifying the potential malware as malware; storing the identified malware and associated data related to the identified malware in the distributed malware register.
Claims
exact text as granted — not AI-modifiedThe invention claimed is:
1. A method of executing a distributed malware check, the method executable by a given computer device of a plurality of computer devices forming a distributed network, the plurality of computer devices being communicatively coupled amongst each other via a peer-to-peer connection, the given computer device of the plurality of computer devices including: (i) a respective individual copy of a distributed malware register database, the distributed malware register database being for storing data of malware identified by each one of the plurality of computer devices of the distributed network; and (ii) a respective individual copy of a transaction pool database, the transaction pool database being for storing parameters of the plurality of computer device, the method comprising:
receiving, by the given computer device, input data identifying a potential malware;
analyzing, by the given computer device, using a given set of check parameters, the input data to determine if the potential malware is malware;
adding, by the given computer device, the input data, the given set of check parameters, and at least one result of the analyzing into the respective individual copy of the transaction pool database, thereby causing replication of the given set of check parameters and the at least one result of the analyzing in respective individual copies of the transaction pool database of other ones of the plurality of computer devices of the distributed network enabling the other ones of the plurality of computer device to analyze the input data of the potential malware using the given set of check parameters;
receiving, by the given computer device, respective results of analyzing, by at least some of the other ones of the plurality of computer devices, the input data to determine if the potential malware is the malware;
aggregating the at least one result of the analyzing the potential malware by the given computer device and the respective results from the at least some of the other ones of the plurality of computer devices of the distributed network to determine a harmfulness parameter associated with the potential malware;
in response to the harmfulness parameter of the potential malware exceeds a predetermined threshold value, identifying, by the given computer device, the potential malware as being the malware;
storing, by the given computer device, data of the identified malware in the respective individual copy of the distributed malware register of the given computer device, thereby causing replication of the data of the identified malware in respective individual copies of the distributed malware register of the other ones of the plurality of computer devices for further use in identifying the malware.
2. The method of claim 1 , wherein the receiving the input data comprises receiving the input data from at least one sources selected from one of: one of the plurality of computer devices in the distributed network, at least one client device, a pre-populated database, a remote server, and a computer-readable medium.
3. The method of claim 1 , wherein the input data contains at least one pointer of the potential malware.
4. The method of claim 1 , wherein the input data additionally contains at least one of:
a malware signature;
a malware attribution data.
5. The method of claim 1 , wherein the receiving the input data comprises receiving the input data at least partially in a hashed form.
6. The method of claim 1 , wherein the method further comprises hashing at least a portion of the input data in response to the at least the portion of the input data having been received in a non-hashed form.
7. The method of claim 1 , wherein after receiving the input data, the method further comprises receiving, from at least one additional source accessible to the given computer device, additional input data associated with the potential malware.
8. The method of claim 7 , wherein the analyzing the input data of the potential malware, by the at least some of the other ones of the plurality of computer devices, is executed taking into account the additional input data.
9. The method of claim 1 , wherein the given computer device is configured to run an individual machine-learning algorithm trained to determine if a given piece of software is the malware, and the analyzing the input data of the potential malware includes using the machine-learning algorithm.
10. The method of claim 9 , wherein the method further comprises updating a training sample of the machine-learning algorithm based on the results of the analyzing the input data by the at least some of the other ones of the plurality of computer devices.
11. The method of claim 1 , wherein the analyzing the input data of the potential malware is executed in an automated way.
12. The method of claim 11 , wherein the analyzing the input data of the potential malware is executed, at least partially, in a manual way.
13. The method of claim 1 , wherein the analyzing the input data to determine if the potential malware is the malware comprises at least one of:
determining harmfulness of the potential malware;
validating a signature of the potential malware;
determining attribution data associated with the potential malware.
14. The method of claim 13 , wherein the determining the attribute data is based on the data associated with the potential malware, the data having been received from one of:
the input data;
the distributed malware register;
a malicious resource database communicatively coupled to the distributed network.
15. The method of claim 1 , wherein the storing further comprises: acquiring and storing additional data associated with the potential malware, the acquiring being from at least one additional source, accessible to the given computer device.
16. The method of claim 1 , wherein determining the harmfulness parameter is based on at least one of:
a number of the at least some of the other ones of the plurality of computer devices that downloaded, from their respective individual copies of the transaction pool database, data associated with the potential malware;
a reputation of each one of the at least some of the other ones of the plurality computer devices that downloaded the data associated with the potential malware;
a number of the at least some of the other ones of the plurality computer devices that confirmed the at least one result rendered by the given computer;
a reputation of the at least some of the other ones of the plurality computer devices that confirmed the at least one result.
17. The method of claim 1 , wherein the method further comprises, after the storing, charging tokens to each one of the given computer device and the at least some of the other ones of the plurality of computer devices of the distributed network where the results were obtained, the tokens corresponding to the harmfulness parameter determined based on the results of the analyzing the input data.
18. A computer device for distributed malware check, the computer device being one of a plurality of computer devices forming a distributed network, the plurality of computer devices being communicatively coupled amongst each other via a peer-to-peer connection, the computer device of the plurality computer devices including: (i) a respective individual copy of a distributed malware register database, the distributed malware register database being for storing data of malware identified by each one of the plurality of computer devices of the distributed network; and (ii) a respective individual copy of a transaction pool database, the transaction pool database being for storing parameters of the plurality of computer device, the computer device comprising a communication interface and a processor functionally coupled to the communication interface, the processor being configured to:
receive input data identifying a potential malware;
analyze, using a given set of check parameters, the input data to determine if the potential malware is malware;
add the input data, the given set of check parameters, and at least one result of the analyzing into the respective individual copy of the transaction pool database, thereby causing replication of the given set of check parameters and the at least one result of the analyzing in respective individual copies of the transaction pool database of other ones of the plurality of computer devices of the distributed network enabling the other ones of the plurality of computer device to analyze the input data of the potential malware using the given set of check parameters;
receive respective results of analyzing, by at least some of the other ones of the plurality of computer devices, the input data to determine if the potential malware is the malware;
aggregate the at least one result of the analyzing and the respective results from the at least some of the other ones of the plurality of computer devices of the distributed network to determine a harmfulness parameter associated with the potential malware;
in response to the harmfulness parameter of the potential malware exceeds a predetermined threshold value, identify the potential malware as being the malware;
store data of the identified malware in the respective individual copy of the distributed malware register of the computer device, thereby causing replication of the data of the identified malware in respective individual copies of the distributed malware register of the other ones of the plurality of computer devices for further use in identifying the malware.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.